CVE-2026-4681 is an unauthenticated remote code execution vulnerability in PTC Windchill and FlexPLM affecting all supported versions, with no patch currently available — making this the highest operational risk item in this rollup. Exploitation requires no authentication and no user interaction, and credible threat intelligence prompted German federal law enforcement (BKA) to conduct in-person alerts to affected organizations. Organizations should immediately apply PTC’s servlet path-based workarounds, isolate these systems from direct internet access, and hunt for web shell drops and anomalous child processes on application server hosts.